I. How to use OAuth server support configured for CAS server?
Once you have configured your CAS server with OAuth server support, you can communicate with it through the OAuth 2.0 protocol (http://tools.ietf.org/html/draft-ietf-oauth-v2-31):
1) /oauth2.0/authorize
This is the URL to call to authorize the user: the CAS login page is displayed and the user authenticates. After successful authentication, the user is redirected to the OAuth callbackUrl with a code. Required GET parameters: client_id and redirect_uri.
...
This is the URL to call to get the profile of the authorized user. Required GET parameter: access_token. The response is in JSON format and carries all attributes of the user.
II. How to add OAuth server support in CAS server?
...
```xml
<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-server-support-oauth</artifactId>
  <version>${project.version}</version>
  <scope>runtime</scope>
</dependency>
```
2) Add the OAuth20WrapperController
...
```xml
<bean
  id="oauth20WrapperController"
  class="org.jasig.cas.support.oauth.web.OAuth20WrapperController"
  p:loginUrl="http://mycasserverwithoauthwrapper/cas/login"
  p:servicesManager-ref="servicesManager"
  p:ticketRegistry-ref="ticketRegistry"
  p:timeout="7200" />
```
...
with its mapping in the handlerMappingC bean (cas-servlet.xml):
```xml
<bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
  <property name="mappings">
    <props>
      <prop key="/serviceValidate">serviceValidateController</prop>
      <!-- ... the other existing mappings ... -->
      <prop key="/statistics">statisticsController</prop>
      <!-- route every /oauth2.0/* request to the OAuth wrapper -->
      <prop key="/oauth2.0/*">oauth20WrapperController</prop>
    </props>
  </property>
  <property name="alwaysUseFullPath" value="true" />
</bean>
```
...
3) Add the needed CAS services
3.1) Callback Authorization
One service is needed to make the OAuth wrapper work in CAS. It registers, as a CAS service, the callback URL that CAS redirects to after authentication in order to return to the OAuth wrapper.
Note: the callback URL must end with "callbackAuthorize".
```xml
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
  <property name="registeredServices">
    <list>
      <bean class="org.jasig.cas.services.RegisteredServiceImpl">
        <property name="id" value="0" />
        <property name="name" value="HTTP" />
        <property name="description" value="oauth wrapper callback url" />
        <property name="serviceId" value="${server.prefix}/oauth2.0/callbackAuthorize" />
      </bean>
      <!-- ... -->
    </list>
  </property>
</bean>
```
Starting with CAS 4, this configuration is made more explicit such that specific OAuth Services are now recognized by CAS:
```xml
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
  <property name="registeredServices">
    <list>
      <!-- A dedicated component to recognize OAuth Callback Authorization requests -->
      <bean class="org.jasig.cas.support.oauth.services.OAuthCallbackAuthorizeService">
        <property name="id" value="0" />
        <property name="name" value="HTTP" />
        <property name="description" value="oauth wrapper callback url" />
        <!-- By default, only support regex patterns if/when needed -->
        <property name="serviceId" value="${server.prefix}/oauth2.0/callbackAuthorize" />
      </bean>
      <!-- ... -->
    </list>
  </property>
</bean>
```
3.2) OAuth Clients
A second service is necessary to register an OAuth client:
- The name and the description of the CAS service are the key and the secret of the OAuth client.
- The theme is the actual service name that is shown in the UI when the user is asked to authorize the service once the CAS login session has been established.
For each OAuth client, a CAS service needs to be added to the configuration. For the in-memory service registry, you add the two services (the callback authorization service from 3.1 and one service per OAuth client) in deployerConfigContext.xml:
```xml
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
  <property name="registeredServices">
    <list>
      <!-- the callback authorization service from 3.1 is declared here as well -->
      <bean class="org.jasig.cas.services.RegisteredServiceImpl">
        <property name="id" value="1" />
        <!-- name = OAuth client key, description = OAuth client secret -->
        <property name="name" value="the_key_for_caswrapper1" />
        <property name="description" value="the_secret_for_caswrapper1" />
        <property name="serviceId" value="oauth client service url" />
        <property name="theme" value="TheActualServiceName" />
      </bean>
      <!-- ... -->
    </list>
  </property>
</bean>
```
Starting with CAS 4, this configuration is made more explicit such that specific OAuth Services are now recognized by CAS:
```xml
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
  <property name="registeredServices">
    <list>
      <bean class="org.jasig.cas.support.oauth.services.OAuthRegisteredService">
        <property name="id" value="1" />
        <property name="name" value="serviceName" />
        <property name="description" value="Service Description" />
        <!-- Supports regex patterns by default for service ids -->
        <property name="serviceId" value="oauth client service url" />
        <property name="clientId" value="client id goes here" />
        <property name="clientSecret" value="client secret goes here" />
      </bean>
      <!-- ... -->
    </list>
  </property>
</bean>
```
Note that there are specific properties, clientId and clientSecret, dedicated to OAuth clients, so the client credentials no longer have to be carried by the service name and description.
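The following Python is an added example, not code from CAS or from this page: an in-process model of the checks the endpoints of section I need to make, driven by service entries shaped like the CAS 4 OAuthRegisteredService bean above (a serviceId regex plus clientId/clientSecret). It shows why the regex in serviceId must match the whole redirect_uri and escape the host, and why an authorization code has to be single-use. All class, function and sample names (AuthorizationServer, redeem_code, the two client entries, the user) are illustrative assumptions; the code-for-token step is modelled rather than reproduced because this excerpt does not show the wrapper's token endpoint.

```python
"""Added example, not CAS code: an in-process model of the checks a CAS OAuth wrapper
must make at /oauth2.0/authorize and /oauth2.0/profile, driven by entries shaped like
the CAS 4 OAuthRegisteredService bean. Class, function and sample names are assumptions."""
import hmac
import json
import re
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit

CODE_LIFETIME = 60  # seconds a code stays redeemable (assumed value)


@dataclass
class OAuthRegisteredService:
    """Mirrors the bean properties: serviceId is a regex the redirect_uri must satisfy."""
    service_id: str
    client_id: str
    client_secret: str


@dataclass
class AuthorizationServer:
    services: list
    timeout: int = 7200  # access-token lifetime, like p:timeout on OAuth20WrapperController
    _codes: dict = field(default_factory=dict)
    _tokens: dict = field(default_factory=dict)

    def _service(self, client_id):
        return next((s for s in self.services if s.client_id == client_id), None)

    def authorize(self, client_id, redirect_uri, user):
        """/oauth2.0/authorize after CAS login: validate client_id and redirect_uri,
        then build the redirect back to the client carrying a fresh code."""
        svc = self._service(client_id)
        if svc is None:
            raise PermissionError("unknown client_id")
        # fullmatch(), not search(): the whole redirect_uri must satisfy the pattern,
        # so a URI that merely contains the registered prefix is rejected.
        if not re.fullmatch(svc.service_id, redirect_uri):
            raise PermissionError("redirect_uri does not match the registered serviceId")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, user, time.time())
        return redirect_uri + ("&" if "?" in redirect_uri else "?") + urlencode({"code": code})

    def redeem_code(self, client_id, client_secret, redirect_uri, code):
        """Code-for-token step (modelled; the wrapper's token endpoint is not in this excerpt)."""
        svc = self._service(client_id)
        if svc is None or not hmac.compare_digest(svc.client_secret, client_secret):
            raise PermissionError("bad client credentials")
        entry = self._codes.pop(code, None)  # single use: a replayed code fails here
        if entry is None:
            raise PermissionError("unknown or already used code")
        c_id, r_uri, user, issued = entry
        if c_id != client_id or r_uri != redirect_uri:
            raise PermissionError("code was issued to another client or redirect_uri")
        if time.time() - issued > CODE_LIFETIME:
            raise PermissionError("code expired")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, time.time())
        return token

    def profile(self, access_token):
        """/oauth2.0/profile: JSON with the user's id and attributes, or None when the
        token is unknown or older than `timeout`."""
        entry = self._tokens.get(access_token)
        if entry is None:
            return None
        user, issued = entry
        if time.time() - issued > self.timeout:
            del self._tokens[access_token]
            return None
        return json.dumps({"id": user["id"], "attributes": user["attributes"]})


def code_from_callback(location):
    """Client side: pull the code out of the redirect the server sent."""
    return parse_qs(urlsplit(location).query)["code"][0]


def demo():
    """Run the flow on constructed data and return what each check decided."""
    user = {"id": "jdoe", "attributes": {"mail": "jdoe@example.org", "cn": "Jane Doe"}}
    weak = OAuthRegisteredService(r"https://app\.example\.org.*", "weak-client", "s3cret-a")
    good = OAuthRegisteredService(r"https://app\.example\.org/oauth/callback", "app", "s3cret-b")
    srv, results = AuthorizationServer([weak, good]), {}
    # Attacker host that starts with the registered prefix: the weak pattern accepts it,
    # so the code would be delivered to the attacker; the anchored pattern rejects it.
    evil = "https://app.example.org.evil.net/cb"
    results["weak_leaks_code"] = srv.authorize("weak-client", evil, user).startswith(evil)
    try:
        srv.authorize("app", evil, user)
        results["hardened_blocks"] = False
    except PermissionError:
        results["hardened_blocks"] = True
    cb = "https://app.example.org/oauth/callback"  # legitimate flow for the hardened client
    code = code_from_callback(srv.authorize("app", cb, user))
    token = srv.redeem_code("app", "s3cret-b", cb, code)
    results["profile_id"] = json.loads(srv.profile(token))["id"]
    try:
        srv.redeem_code("app", "s3cret-b", cb, code)  # replaying the code must fail
        results["replay_rejected"] = False
    except PermissionError:
        results["replay_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

When serviceId is a regex, write it for the exact callback (escaped dots, no trailing `.*`, nothing that can be satisfied by a longer host name); a pattern such as `https://app\.example\.org.*` accepts `https://app.example.org.evil.net/cb` and the code is sent to whoever controls that host. The model also ties the code to the client_id and redirect_uri it was issued for and consumes it on first use, so a code captured from a callback URL cannot be redeemed by another client or redeemed twice.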
3.3) (Optional) CAS OAuth Client using another CAS OAuth Server
If you have one CAS server configured with the CasWrapperProvider20 (the client) to communicate with a CAS server wrapping the OAuth 2.0 protocol (the server), the name and description of the service registered in the CAS « server » must match the key and secret of the identity provider defined in the CAS « client »:
```xml
<!-- in the CAS "server" (the one wrapping OAuth 2.0): the client's key and secret,
     with the client's login URL as the allowed callback -->
<bean class="org.jasig.cas.services.RegisteredServiceImpl">
  <property name="id" value="1" />
  <property name="name" value="the_key_for_caswrapper1" />
  <property name="description" value="the_secret_for_caswrapper1" />
  <property name="serviceId" value="http://mycasserver/login" />
</bean>

<!-- in the CAS "client": the identity provider pointing at the wrapping server -->
<bean id="caswrapper1" class="org.jasig.cas.support.oauth.provider.impl.CasWrapperProvider20">
  <property name="key" value="the_key_for_caswrapper1" />
  <property name="secret" value="the_secret_for_caswrapper1" />
  <property name="callbackUrl" value="http://mycasserver/login" />
  <property name="serverUrl" value="http://mycasserverwithoauthwrapper/oauth2.0" />
</bean>
```
...
This controller returns a profile for the authenticated user (identifier + attributes), looked up by the access token (the CAS ticket-granting ticket).
i) OAuthRegisteredService (org.jasig.cas.support.oauth.services)
Starting with CAS 4, OAuth clients are registered via this component in the service registry. It allows the service name, client id and secret to be defined as dedicated properties.
j) OAuthCallbackAuthorizeService (org.jasig.cas.support.oauth.services)
CAS 4: the callback authorize service is defined via this specific service in the service registry (the serviceId is a regex pattern).
k) OAuthRegisteredCallbackAuthorizeService (org.jasig.cas.support.oauth.services)
CAS 4: the same service as above, but with the serviceId defined as an Ant pattern.